Google has patched a long-running critical flaw on many MediaTek devices, which can be exploited to enable temporary root access. It was reported that the flaw -- dubbed MediaTek-su -- has been out in the wild for close to a year.
Tracked as CVE-2020-0069, the vulnerability affects the MediaTek Command Queue driver, and was first discovered in February 2019 by a developer looking for a way to root Amazon's Fire tablets. That original discovery led to the creation of a script that could be used to temporarily gain root access on Fire tablets.
While this was designed to allow rooting of Amazon devices, the exploit works on any unpatched Android device with a MediaTek chip running Linux kernel version 3.18, 4.4, 4.9, or 4.14 and Android 7 Nougat, 8 Oreo, or 9 Pie; the full list shared by XDA Developers includes devices from Amazon, Nokia and LG. The exploit only grants root access until the next reboot of the device.
XDA Developers reported that the security vulnerability appeared in developer forums as early as April 2019.
While Google has now patched the flaw, some OEMs had already issued fixes based on MediaTek patches, including Amazon, while other manufacturers have modified the kernel to defeat the exploit, including Vivo, Huawei/Honor, Oppo, and Samsung. MediaTek devices running Android 10 are not vulnerable since "the access permission of CMDQ device nodes is also enforced by SELinux", according to MediaTek.
“It is a known secret that Android devices are full of vulnerabilities and it is a constant battle between manufacturers & carriers to discover and patch them. The main challenge is that the Android OS is part of a complex ecosystem where manufacturers, network carriers, and end-users must work in perfect harmony to discover and patch security flaws before cyber criminals discover and exploit them for malicious gains. This won't go away anytime soon,” said Marco Essomba, Founder, iCyber-Security.
As more organisations adopt a BYOD policy, a defence-in-depth approach is key to staying one step ahead of cyber-criminals, Essomba explained.
“For organisations that allow their employees to bring their own devices, including Android, implementing a corporate mobile device management policy is key. This allows organisations to enforce mobile device security policies. For example, the corporate policy can detect rooted devices and block access to corporate apps or sensitive data. Moreover, the corporate policy can detect and stop devices that are not patched or not running the latest security updates,” he said.
The vulnerability has been documented as being used in the wild. A security report from Trend Micro in January highlighted several Play Store apps that were using either MediaTek-su or CVE-2019-2215 to gain root access.
“Vulnerabilities in Android may not be uncommon, but it is rarer to find examples of such severity being actively exploited in the wild. Such an exploit can be used to create 'auto-rooting' malware that can easily be embedded and distributed in seemingly innocuous apps. We saw similar techniques used with LevelDropper that was present in the Play Store in 2016,” said Tom Davison, technical director - international at Lookout.
“Once installed, infected apps can silently root devices, giving attackers numerous capabilities, such as further app installation, end-user surveillance or data theft, all without the device owner being aware. The advice to users is to install the latest security patches, avoid downloading apps from unknown stores or via links and be vigilant for signs of abnormal device behaviour. For added peace of mind, use a mobile endpoint security solution that can monitor for app behaviour and device compromise. Enterprises should adopt a mobile vulnerability management program, extending day-to-day management of security patches to their mobile fleet,” he added.
The full list of devices originally affected by the MediaTek-su bug:
Acer Iconia One 10 B3-A30
Acer Iconia One 10 B3-A40
Alba tablet series
Alcatel 1 5033 series
Alcatel 3L (2018) 5034 series
Alcatel 3T 8
Alcatel A5 LED 5085 series
Alcatel A30 5049 series
Alcatel Idol 5
Alcatel/TCL A1 A501DL
Alcatel/TCL LX A502DL
Alcatel Tetra 5041C
Amazon Fire 7 2019 (up to Fire OS 184.108.40.206)
Amazon Fire HD 8 2016 (up to Fire OS 220.127.116.11)
Amazon Fire HD 8 2017 (up to Fire OS 18.104.22.168)
Amazon Fire HD 8 2018 (up to Fire OS 22.214.171.124)
Amazon Fire HD 10 2017 (up to Fire OS 126.96.36.199)
Amazon Fire HD 10 2019 (up to Fire OS 188.8.131.52)
Amazon Fire TV 2 (up to Fire OS 184.108.40.206)
ASUS ZenFone Max Plus X018D
ASUS ZenPad 3s 10 Z500M
ASUS ZenPad Z3xxM(F) MT8163-based series
Barnes & Noble NOOK Tablet 7" BNTV450 & BNTV460
Barnes & Noble NOOK Tablet 10.1" BNTV650
Blackview A8 Max
Blackview BV9600 Pro (Helio P60)
BLU Life Max
BLU Life One X
BLU R1 series
BLU R2 LTE
BLU Tank Xtreme Pro
BLU Vivo 8L
BLU Vivo XI
BLU Vivo XL4
BQ Aquaris M8
Coolpad Cool Play 8 Lite
Dragon Touch K10
HiSense Infinity H12 Lite
Huawei GR3 TAG-L21
Huawei Y6II MT6735 series
Lava Iris 88S
Lenovo C2 series
Lenovo Tab E8
Lenovo Tab2 A10-70F
LG K8+ (2018) X210ULMA (MTK)
LG K10 (2017)
LG Tribute Dynasty
LG X power 2/M320 series (MTK)
LG Xpression Plus 2/K40 LMX420 series
Meizu Pro 7 Plus
Nokia 1 Plus
Nokia 3.1 Plus
Nokia 5.1 Plus/X5
Onn 7" Android tablet
Onn 8" & 10" tablet series (MT8163)
OPPO F5 series/A73 (Android 8.x only)
OPPO F7 series (Android 8.x only)
OPPO F9 series (Android 8.x only)
Sony Xperia C4
Sony Xperia C5 series
Sony Xperia L1
Sony Xperia L3
Sony Xperia XA series
Sony Xperia XA1 series
Southern Telecom Smartab ST1009X (MT8167)
TECNO Spark 3 series
Umidigi F1 series
Xiaomi Redmi 6/6A series
ZTE Blade A530
ZTE Blade D6/V6
ZTE Quest 5 Z3351